sean – Page 10 – 一江春水向东流

在arm64机器上快速搭建openvpn

由于测试需要直接通过内网上华为云测试，需要搭建vpn进行访问，在arm64机器上搭建方法如下：下载openvpn aarch64架构的rpm包：

wget https://cbs.centos.org/kojifiles/packages/openvpn/2.4.1/2.el7/aarch64/openvpn-2.4.1-2.el7.aarch64.rpm

1	wget https://cbs.centos.org/kojifiles/packages/openvpn/2.4.1/2.el7/aarch64/openvpn-2.4.1-2.el7.aarch64.rpm

yum安装时会报pkcs11找不着，所以下载此包：

wget https://download-ib01.fedoraproject.org/pub/epel/7/aarch64/Packages/p/pkcs11-helper-1.11-3.el7.aarch64.rpm

1	wget https://download-ib01.fedoraproject.org/pub/epel/7/aarch64/Packages/p/pkcs11-helper-1.11-3.el7.aarch64.rpm

安装：

yum install pkcs11-helper-1.11-3.el7.aarch64.rpm openvpn-2.4.1-2.el7.aarch64.rpm

1	yum install pkcs11-helper-1.11-3.el7.aarch64.rpm openvpn-2.4.1-2.el7.aarch64.rpm

下载一键配置脚本：

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh

1	curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh

在运行脚本之前，需要先创建目录：

mkdir /etc/openvpn/
sh openvpn-install.sh

1 2	mkdir /etc/openvpn/ sh openvpn-install.sh

server.conf配置：

duplicate-cn # 如过是多个用户共用一个认证来登录的话， 需要配置
max-clients 100 # 最多能连接的客户端

#配置路由

push "route 10.166.0.0 255.255.0.0"
push "route 10.3.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
push "route 172.0.0.0 255.0.0.0"
push "route 192.168.0.0 255.255.0.0"


push "dhcp-option DNS 10.10.6.11"
push "dhcp-option DNS 100.125.1.250"

status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

duplicate-cn # 如过是多个用户共用一个认证来登录的话，需要配置

max-clients 100 # 最多能连接的客户端

#配置路由

push "route 10.166.0.0 255.255.0.0"

push "route 10.3.0.0 255.255.0.0"

push "route 10.10.0.0 255.255.0.0"

push "route 172.0.0.0 255.0.0.0"

push "route 192.168.0.0 255.255.0.0"

push "dhcp-option DNS 10.10.6.11"

push "dhcp-option DNS 100.125.1.250"

status /var/log/openvpn/status.log

log-append /var/log/openvpn/openvpn.log

配置防火墙：

*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]

#OpenVPN
-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

COMMIT

1

2

3

4

5

6

7

8

9

10

11

*nat

:PREROUTING ACCEPT [27:11935]

:INPUT ACCEPT [0:0]

:OUTPUT ACCEPT [598:57368]

:POSTROUTING ACCEPT [591:57092]

:DOCKER - [0:0]

#OpenVPN

-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

COMMIT

打开内核转发： net.ipv4.ip_forward = 1 也可以配置udp和tcp都监听, 方法如下：

把/etc/openvpn/server.conf复制一份，比如/etc/openvpn/tcp.conf，然后修改tcp.conf：

协议修改为TCP：proto tcp
IP地址修改略作修改，比如所有原来是10.8.0.x的地方，都改为10.8.1.x
2. 修改防火墙
然后修改iptables，增加一条nat规则-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE。
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE

3. 启动进程
 /usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf
4. 添加开机启动
/etc/systemd/system/openvpntcp@.service

[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf

[Install]
WantedBy=multi-user.target
重载服务，添加为开启启动

systemctl daemon-reload
systemctl restart openvpntcp@server
systemctl enable openvpntcp@server
systemctl  list-unit-files |grep openvpntcp
客户端ovpn配置
生成的客户端配置，只需要修改udp为tcp.
其中如果remote有2个的话，代表负载均衡，如果其中一个连接不上，会自动连接另外一个

client
proto tcp
remote x.x.x.x 11111
remote x.x.x.x 12222 
......

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

把/etc/openvpn/server.conf复制一份，比如/etc/openvpn/tcp.conf，然后修改tcp.conf：

协议修改为TCP：proto tcp

IP地址修改略作修改，比如所有原来是10.8.0.x的地方，都改为10.8.1.x

2. 修改防火墙

然后修改iptables，增加一条nat规则-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE。

iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE

3. 启动进程

/usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf

4. 添加开机启动

/etc/systemd/system/openvpntcp@.service

[Unit]

Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I

After=network.target

[Service]

Type=notify

PrivateTmp=true

ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf

[Install]

WantedBy=multi-user.target

重载服务，添加为开启启动

systemctl daemon-reload

systemctl restart openvpntcp@server

systemctl enable openvpntcp@server

systemctl list-unit-files |grep openvpntcp

客户端ovpn配置

生成的客户端配置，只需要修改udp为tcp.

其中如果remote有2个的话，代表负载均衡，如果其中一个连接不上，会自动连接另外一个

client

proto tcp

remote x.x.x.x 11111

remote x.x.x.x 12222

......

By sean, 5 years04/21/2020 ago

Kata container 简介 Kata Container 是两个现有的开源项目合并：Intel Clear Containers和Hyper runV。 Intel Clear Container项目的目标是通过英特尔®虚拟化技术（VT）解决容器内部的安全问题，并且能够将容器作为轻量级虚拟机（VM）启动，提供了一个可选的运行时间，专注于性能（<100ms启动时间），可与Kubernetes 和Docker 等常用容器环境互操作。英特尔®Clear Container表明，安全性和性能不必是一个折衷，将硬件隔离的安全性与容器的性能可以兼得。 hyper runV优先于技术无关支持许多不同的CPU架构和管理程序。容器安全使用Docker轻量级的容器时，最大的问题就是会碰到安全性的问题，其中几个不同的容器可以互相的进行攻击，如果把这个内核给攻掉了，其他所有容器都会崩溃。如果使用KVM等虚拟化技术，会完美解决安全性的问题，但响应的性能会受到一定的影响。单单就Docker来说，安全性可以概括为两点：不会对主机造成影响不会对其他容器造成影响所以安全性问题90%以上可以归结为隔离性问题。而Docker的安全问题本质上就是容器技术的安全性问题，这包括共用内核问题以及Namespace还不够完善的限制： /proc、/sys等未完全隔离 Top, free, iostat等命令展示的信息未隔离 Root用户未隔离 /dev设备未隔离内核模块未隔离 SELinux、time、syslog等所有现有Namespace之外的信息都未隔离当然，镜像本身不安全也会导致安全性问题。 kata 隔离技术我们都知道 Docker 等一类的容器使用 Cgroup 进行资源限制，使用 linux 的 namespace 机制对容器进行隔离，但在实际运行中，仍是由宿主机向容器直接提供网络、存储、计算等资源，虽然性能损失很小，但存在一定的安全问题。 Kata Containers是一个开放源代码社区，致力于通过轻量级虚拟机来构建安全的容器运行时，这些虚拟机的感觉和性能类似于容器，但是使用硬件虚拟化技术作为第二防御层，可以提供更强的工作负载隔离。 kata 底层实现了Intel Clear Containers的最佳部分与Hyper.sh RunV合并，并进行了扩展，以包括对主要架构的支持，包括x86_64之外的AMD64，ARM，IBM Read more…

By sean, 5 years04/03/2020 ago

KUBERNETES

使用 Sealos 在 3 分钟内快速部署一个生产级别的 Kubernetes 高可用集群

前段时间，我们在「使用 Kind 在 5 分钟内快速部署一个 Kubernetes 高可用集群」一文中介绍了如何使用 Kind 这个开箱即可快速部署 Kubernetes 高可用集群的神器，相信不少同学用上这个神器后大大的降低了 Kubernetes 集群的部署难度和提高了 Kubernetes 集群的部署速度。不过有一点比较遗憾的是 Kind 当前仅仅支持在本地快速构建一个开发或者测试环境，目前暂时还是不支持在生产环境中部署 Kubernetes 高可用集群的。今天，我们就要给大家介绍另一款可以支持在生产环境中部署 Kubernetes 高可用集群的利器 Sealos。什么是 Sealos ？ Sealos 是一个 Go 语言开发的简单干净且轻量的 Kubernetes 集群部署工具，Sealos 能很好的支持在生产环境中部署高可用的 Kubernetes 集群。 Sealos 架构图 Sealos 特性与优势支持离线安装，工具与部署资源包分离，方便不同版本间快速升级。证书有效期默认延期至 99 年。工具使用非常简单。支持使用自定义配置文件，可灵活完成集群环境定制。使用内核进行本地负载，稳定性极高，故障排查也极其简单。 Sealos 设计原则和工作原理 1. Read more…

By sean, 5 years03/23/2020 ago

KUBERNETES

kubernetes生产环境下的iptables安全配置

控制节点（主节点）所需要的端口如下：协议端口服务 TCP 6443 k8s API server TCP 2379-2380 etcd server client API TCP 10250 Kubelet API TCP 10251 kube-scheduler TCP 10252 kube-controller-manager TCP 10255 Read-only Kubelet API UDP 8472 flannel TCP 9099,9100 calico TCP 179 bgp TCP 111 rpcbind 使用 NFS 作为持久化存储 IPIP Calico 需要允许 IPIP 协议 Read more…

By sean, 5 years03/21/2020 ago

KUBERNETES

NetworkPolicy网络策略

资源隔离设计本案例使用NetworkPolicy来进行资源隔离要实现的目的: 用户isv应用不能访问k8s集群应用 k8s集群应用可以访问isv应用 isv应用可以访问外网本案例的架构图: 创建isv-demon namespace

ns=isv-demo
kubectl create ns $ns
kubectl config set-context \
  --current \
  --namespace $ns
  
 kubectl label ns $ns name=$ns
 # 如果kube-system没有label, 则打上
 kubectl lable ns kube-system name=kube-system

1

2

3

4

5

6

7

8

9

ns=isv-demo

kubectl create ns $ns

kubectl config set-context \

--current \

--namespace $ns

kubectl label ns $ns name=$ns

# 如果kube-system没有label, 则打上

kubectl lable ns kube-system name=kube-system

定义资源为了不跟宿主机端口冲突, web的service端口定义为8800

apiVersion: apps/v1
kind: Deployment
metadata:
  name: db
  labels:
    app: db
spec:
  replicas: 1
  selector:
    matchLabels:
      app: db
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
      - name: couchdb
        image: "couchdb"
        ports:
        - containerPort: 5984
        env:
        - name: COUCHDB_USER
          value: admin
        - name: COUCHDB_PASSWORD
          value: password

---
apiVersion: v1
kind: Service
metadata:
  name: db
spec:
  selector:
    app: db
  ports:
    - name: db
      port: 15984
      targetPort: 5984
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  labels:
    app: api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
      - name: nodebrady
        image: mabenoit/nodebrady
        ports:
        - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: api
spec:
  selector:
    app: api
  ports:
    - name: api
      port: 8080
      targetPort: 3000
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  labels:
    app: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  selector:
    app: web
  ports:
    - name: web
      port: 8800
      targetPort: 80
  type: ClusterIP

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

apiVersion: apps/v1

kind: Deployment

metadata:

labels:

app: db

spec:

replicas: 1

selector:

matchLabels:

app: db

template:

metadata:

labels:

app: db

spec:

containers:

- name: couchdb

image: "couchdb"

ports:

- containerPort: 5984

env:

- name: COUCHDB_USER

value: admin

- name: COUCHDB_PASSWORD

value: password

---

apiVersion: v1

kind: Service

metadata:

spec:

selector:

app: db

ports:

- name: db

port: 15984

targetPort: 5984

type: ClusterIP

---

apiVersion: apps/v1

kind: Deployment

metadata:

labels:

app: api

spec:

replicas: 1

selector:

matchLabels:

app: api

template:

metadata:

labels:

app: api

spec:

containers:

- name: nodebrady

image: mabenoit/nodebrady

ports:

- containerPort: 3000

---

apiVersion: v1

kind: Service

metadata:

spec:

selector:

app: api

ports:

- name: api

port: 8080

targetPort: 3000

type: ClusterIP

---

apiVersion: apps/v1

kind: Deployment

metadata:

labels:

app: web

spec:

replicas: 1

selector:

matchLabels:

app: web

template:

metadata:

labels:

app: web

spec:

containers:

- name: nginx

image: nginx

ports:

- containerPort: 80

---

apiVersion: v1

kind: Service

metadata:

spec:

selector:

app: web

ports:

- name: web

port: 8800

targetPort: 80

type: ClusterIP

创建WEB, API and DB Pods/Services

kubectl apply \
 -f db-api-web-deployments.yaml

1 2	kubectl apply \ -f db-api-web-deployments.yaml

测试:

web=$(kubectl get svc web -o jsonpath='{.spec.clusterIP}'):8800)
echo $web
# curl web.isv-demo:8800
curl $(kubectl get svc web -o jsonpath='{.spec.clusterIP}'):8800
kubectl run curl-$RANDOM --image=radial/busyboxplus:curl --rm -it --generator=run-pod/v1 -n isv-demo
[ root@curl-3899:/ ]$ curl www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=con
[ root@curl-3899:/ ]$ curl http://db:15984
{"couchdb":"Welcome","version":"3.0.0","git_sha":"03a77db6c","uuid":"05616a1b6f1eccbed4f24d3e6d5526d2","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
[ root@curl-3899:/ ]$ # exit

1

2

3

4

5

6

7

8

9

10

11

web=$(kubectl get svc web -o jsonpath='{.spec.clusterIP}'):8800)

echo $web

# curl web.isv-demo:8800

curl $(kubectl get svc web -o jsonpath='{.spec.clusterIP}'):8800

kubectl run curl-$RANDOM --image=radial/busyboxplus:curl --rm -it --generator=run-pod/v1 -n isv-demo

[ root@curl-3899:/ ]$ curl www.baidu.com

<!DOCTYPE html>

<html> <head><meta http-equiv=con

[ root@curl-3899:/ ]$ curl http://db:15984

{"couchdb":"Welcome","version":"3.0.0","git_sha":"03a77db6c","uuid":"05616a1b6f1eccbed4f24d3e6d5526d2","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}

[ root@curl-3899:/ ]$ # exit

定义networkpolicy: deny-all

# deny-all-netpol.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: isv-demo
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

1

2

3

4

5

6

7

8

9

10

11

12

# deny-all-netpol.yaml

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

namespace: isv-demo

spec:

podSelector: {}

policyTypes:

- Ingress

- Egress

定义进栈和出栈访问:

# isv-demo-in-out.yaml
# 实现: 
# 1. namespace: isv-demo里的所有pod可以互相访问
# 2. namespace: isv-demo里的所有pod可以访问namespace: kube-system里的coredns的53端口
# 3. namespace: kube-system里的所有pod可以访问namespace: isv-demo里的所有pod
# 4. 访问外网限制: namespace: isv-demo里的所有pod可以访问除172.20.0.0/16(物理机)和172.23.0.0/16(calico)网段外的所有网段的80和443端口

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: isv-demo-in-out
  namespace: isv-demo
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: isv-demo
  - from:
    - namespaceSelector:
        matchLabels:
          name: kube-system
  # 这块定义了这三个端口全开放, 可根据需要进行限制
  - from: []
    ports:
      - protocol: TCP
        port: 8800
      - protocol: TCP
        port: 80
      - protocol: TCP
        port: 443
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: isv-demo
  # to kube-dns
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
  # to outside website
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
          - 172.20.0.0/16
          - 172.23.0.0/16
    ports:
      - protocol: TCP
        port: 80
      - protocol: TCP
        port: 443


# 注: developer-center为开发者中心namespace, 线上为c87e2267-1001-4c70-bb2a-ab41f3b81aa3

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

# isv-demo-in-out.yaml

# 实现:

# 1. namespace: isv-demo里的所有pod可以互相访问

# 2. namespace: isv-demo里的所有pod可以访问namespace: kube-system里的coredns的53端口

# 3. namespace: kube-system里的所有pod可以访问namespace: isv-demo里的所有pod

# 4. 访问外网限制: namespace: isv-demo里的所有pod可以访问除172.20.0.0/16(物理机)和172.23.0.0/16(calico)网段外的所有网段的80和443端口

kind: NetworkPolicy

apiVersion: networking.k8s.io/v1

metadata:

namespace: isv-demo

spec:

podSelector:

matchLabels:

ingress:

- from:

- namespaceSelector:

matchLabels:

- from:

- namespaceSelector:

matchLabels:

# 这块定义了这三个端口全开放, 可根据需要进行限制

- from: []

ports:

- protocol: TCP

port: 8800

- protocol: TCP

port: 80

- protocol: TCP

port: 443

egress:

- to:

- namespaceSelector:

matchLabels:

# to kube-dns

- to:

- namespaceSelector:

matchLabels:

podSelector:

matchLabels:

k8s-app: kube-dns

ports:

- port: 53

protocol: UDP

- port: 53

protocol: TCP

# to outside website

- to:

- ipBlock:

cidr: 0.0.0.0/0

except:

- 172.20.0.0/16

- 172.23.0.0/16

ports:

- protocol: TCP

port: 80

- protocol: TCP

port: 443

# 注: developer-center为开发者中心namespace, 线上为c87e2267-1001-4c70-bb2a-ab41f3b81aa3

创建NetworkPolicy

# Apply the first NetworkPolicy: deny all Ingress/Egress
kubectl apply \
  -f deny-all-netpol.yaml
 
# Apply the NetworkPolicy definition related to isv-demo-in-out
kubectl apply \
  -f isv-demo-in-out.yaml

1

2

3

4

5

6

7

# Apply the first NetworkPolicy: deny all Ingress/Egress

kubectl apply \

-f deny-all-netpol.yaml

# Apply the NetworkPolicy definition related to isv-demo-in-out

kubectl apply \

-f isv-demo-in-out.yaml

测试:

1. namespace: isv-demo里的所有pod可以互相访问
# 2. namespace: isv-demo里的所有pod可以访问namespace: kube-system里的coredns的53端口
# 3. namespace: kube-system里的所有pod可以访问namespace: isv-demo里的所有pod
# 4. 访问外网限制: namespace: isv-demo里的所有pod可以访问除172.20.0.0/16(物理机)和172.23.0.0/16(calico)网段外的所有网段的80和443端口

web=$(kubectl get svc web -o jsonpath='{.spec.clusterIP}'):8800
#======在namespace:isv-demo里测试=======
kubectl run curl-$RANDOM --image=radial/busyboxplus:curl --rm -it --generator=run-pod/v1 -n isv-demo
# --> 访问isv-demo的web服务
[ root@curl-24497:/ ]$ curl web:8800
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
# --> 访问isv-demo的db服务
[ root@curl-24497:/ ]$ curl http://db:15984
{"couchdb":"Welcome","version":"3.0.0","git_sha":"03a77db6c","uuid":"05616a1b6f1eccbed4f24d3e6d5526d2","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
# --> 访问外网baidu
[ root@curl-24497:/ ]$ curl www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html>
# --> ping外网baidu
[ root@curl-24497:/ ]$ ping www.baidu.com -c3 -W2
PING www.baidu.com (61.135.169.125): 56 data bytes

--- www.baidu.com ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
# --> 访问开发者中心的web地址
[ root@curl-24497:/ ]$ curl 172.20.58.132 --connect-timeout 5
curl: (28) Connection timed out after 5001 milliseconds
# --> 访问kube-system的某Pod的calico的IP
[ root@curl-24497:/ ]$ ping 172.23.166.156 -c3 -W2
PING 172.23.166.156 (172.23.166.156): 56 data bytes

--- 172.23.166.156 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
# --> 访问isv-demo里的pod的calico ip
[ root@curl-24497:/ ]$ ping 172.23.166.151
PING 172.23.166.151 (172.23.166.151): 56 data bytes
64 bytes from 172.23.166.151: seq=0 ttl=63 time=0.243 ms
[ root@curl-24497:/ ]$ exit


#======在namespace:kube-system里测试=======
kubectl run curl-$RANDOM --image=radial/busyboxplus:curl --rm -it --generator=run-pod/v1 -n kube-system
[ root@curl-23248:/ ]$ curl web.isv-demo:8800
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
[ root@curl-23248:/ ]$ curl web.isv-demo:8800
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
[ root@curl-23248:/ ]$ curl http://db.isv-demo:15984
{"couchdb":"Welcome","version":"3.0.0","git_sha":"03a77db6c","uuid":"05616a1b6f1eccbed4f24d3e6d5526d2","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
[ root@curl-23248:/ ]$ # exit

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

1. namespace: isv-demo里的所有pod可以互相访问

# 2. namespace: isv-demo里的所有pod可以访问namespace: kube-system里的coredns的53端口

# 3. namespace: kube-system里的所有pod可以访问namespace: isv-demo里的所有pod

# 4. 访问外网限制: namespace: isv-demo里的所有pod可以访问除172.20.0.0/16(物理机)和172.23.0.0/16(calico)网段外的所有网段的80和443端口

web=$(kubectl get svc web -o jsonpath='{.spec.clusterIP}'):8800

#======在namespace:isv-demo里测试=======

kubectl run curl-$RANDOM --image=radial/busyboxplus:curl --rm -it --generator=run-pod/v1 -n isv-demo

# --> 访问isv-demo的web服务

[ root@curl-24497:/ ]$ curl web:8800

<!DOCTYPE html>

<html>

<head>

<title>Welcome to nginx!</title>

# --> 访问isv-demo的db服务

[ root@curl-24497:/ ]$ curl http://db:15984

{"couchdb":"Welcome","version":"3.0.0","git_sha":"03a77db6c","uuid":"05616a1b6f1eccbed4f24d3e6d5526d2","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}

# --> 访问外网baidu

[ root@curl-24497:/ ]$ curl www.baidu.com

<!DOCTYPE html>

<html>

# --> ping外网baidu

[ root@curl-24497:/ ]$ ping www.baidu.com -c3 -W2

PING www.baidu.com (61.135.169.125): 56 data bytes

--- www.baidu.com ping statistics ---

3 packets transmitted, 0 packets received, 100% packet loss

# --> 访问开发者中心的web地址

[ root@curl-24497:/ ]$ curl 172.20.58.132 --connect-timeout 5

curl: (28) Connection timed out after 5001 milliseconds

# --> 访问kube-system的某Pod的calico的IP

[ root@curl-24497:/ ]$ ping 172.23.166.156 -c3 -W2

PING 172.23.166.156 (172.23.166.156): 56 data bytes

--- 172.23.166.156 ping statistics ---

3 packets transmitted, 0 packets received, 100% packet loss

# --> 访问isv-demo里的pod的calico ip

[ root@curl-24497:/ ]$ ping 172.23.166.151

PING 172.23.166.151 (172.23.166.151): 56 data bytes

64 bytes from 172.23.166.151: seq=0 ttl=63 time=0.243 ms

[ root@curl-24497:/ ]$ exit

#======在namespace:kube-system里测试=======

kubectl run curl-$RANDOM --image=radial/busyboxplus:curl --rm -it --generator=run-pod/v1 -n kube-system

[ root@curl-23248:/ ]$ curl web.isv-demo:8800

<!DOCTYPE html>

<html>

<head>

<title>Welcome to nginx!</title>

[ root@curl-23248:/ ]$ curl web.isv-demo:8800

<!DOCTYPE html>

<html>

<head>

<title>Welcome to nginx!</title>

[ root@curl-23248:/ ]$ curl http://db.isv-demo:15984

{"couchdb":"Welcome","version":"3.0.0","git_sha":"03a77db6c","uuid":"05616a1b6f1eccbed4f24d3e6d5526d2","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}

[ root@curl-23248:/ ]$ # exit

总结: 首先一定要给namespace打label, 因为NetworkPolicy是根据lable来match的参考: https://alwaysupalwayson.blogspot.com/2019/09/kubernetes-network-policies-how-to.html https://github.com/mathieu-benoit/k8s-netpol 和 https://ahmet.im/blog/kubernetes-network-policy/ https://github.com/ahmetb/kubernetes-network-policy-recipes Read more…

By sean, 5 years03/20/2020 ago

未分类

ansible安装mariadb

最近在搞mariadb的高可用安装, 直接使用的官方ansible, 坑太多了, 现在记录下来官方脚本下载: ansible-galaxy install geerlingguy.mysql 需要修改的地方: roles/tasks/main.yml

---
# Variable configuration.
- include_tasks: variables.yml

# Setup/install tasks.
- include_tasks: setup-RedHat.yml
  when: ansible_os_family == 'RedHat' and not uninstall_mysql

- include_tasks: setup-Debian.yml
  when: ansible_os_family == 'Debian' and not uninstall_mysql

- include_tasks: setup-Archlinux.yml
  when: ansible_os_family == 'Archlinux' and not uninstall_mysql

- name: Check if MySQL packages were installed.
  set_fact:
    mysql_install_packages: "{{ (rh_mysql_install_packages is defined and rh_mysql_install_packages.changed)
      or (deb_mysql_install_packages is defined and deb_mysql_install_packages.changed)
      or (arch_mysql_install_packages is defined and arch_mysql_install_packages.changed) }}"
  when: not uninstall_mysql

- name: Include task list in play only if the condition is true
  include_tasks: "{{ item }}"
  with_items:
    - configure.yml
    - secure-installation.yml
    - databases.yml
    - users.yml
    - replication.yml
  when: not uninstall_mysql

- name: Uninstall mariadb
  include: uninstall.yml
  when: uninstall_mysql

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

---

# Variable configuration.

- include_tasks: variables.yml

# Setup/install tasks.

- include_tasks: setup-RedHat.yml

when: ansible_os_family == 'RedHat' and not uninstall_mysql

- include_tasks: setup-Debian.yml

when: ansible_os_family == 'Debian' and not uninstall_mysql

- include_tasks: setup-Archlinux.yml

when: ansible_os_family == 'Archlinux' and not uninstall_mysql

- name: Check if MySQL packages were installed.

set_fact:

mysql_install_packages: "{{ (rh_mysql_install_packages is defined and rh_mysql_install_packages.changed)

or (deb_mysql_install_packages is defined and deb_mysql_install_packages.changed)

or (arch_mysql_install_packages is defined and arch_mysql_install_packages.changed) }}"

when: not uninstall_mysql

- name: Include task list in play only if the condition is true

include_tasks: "{{ item }}"

with_items:

- configure.yml

- secure-installation.yml

- databases.yml

- users.yml

- replication.yml

when: not uninstall_mysql

- name: Uninstall mariadb

include: uninstall.yml

when: uninstall_mysql

roles/tasks/configure.yml: 如果要自定义一些目录的话, 需要创建目录并修改文件夹权限

---
- name: Get MySQL version.
  command: 'mysql --version'
  register: mysql_cli_version
  changed_when: false
  check_mode: false

- name: Copy my.cnf global MySQL configuration.
  template:
    src: my.cnf.j2
    dest: "{{ mysql_config_file }}"
    owner: root
    group: root
    mode: 0644
    force: "{{ overwrite_global_mycnf }}"
  notify: restart mysql

- name: Verify mysql include directory exists.
  file:
    path: "{{ mysql_config_include_dir }}"
    state: directory
    owner: root
    group: root
    mode: 0755
  when: mysql_config_include_files | length

- name: Copy my.cnf override files into include directory.
  template:
    src: "{{ item.src }}"
    dest: "{{ mysql_config_include_dir }}/{{ item.src | basename }}"
    owner: root
    group: root
    mode: 0644
    force: "{{ item.force | default(False) }}"
  with_items: "{{ mysql_config_include_files }}"
  notify: restart mysql

- name: Create slow query log file (if configured).
  shell: >
    mysql_slow_query_log_file={{ mysql_slow_query_log_file }};
    mkdir -p ${mysql_slow_query_log_file%/*};
    touch ${mysql_slow_query_log_file}
  when: mysql_slow_query_log_enabled

- name: Create datadir if it does not exist
  file:
    path: "{{ mysql_datadir }}"
    state: directory
    owner: mysql
    group: mysql
    mode: 0755
    setype: mysqld_db_t

- name: Set ownership on slow query log file (if configured).
  file:
    path: "{{ mysql_slow_query_log_file }}"
    state: file
    owner: mysql
    group: "{{ mysql_log_file_group }}"
    mode: 0640
  when: mysql_slow_query_log_enabled

- name: Create error log directory (if configured).
  shell: >
    mysql_log_error={{ mysql_log_error }};
    mkdir -p ${mysql_log_error%/*};
    touch ${mysql_log_error};
    chown -R mysql:{{ mysql_log_file_group }} ${mysql_log_error%/*}
  when:
    - mysql_log == ""
    - mysql_log_error != ""
  tags: ['skip_ansible_galaxy']

- name: Set ownership on error log file (if configured).
  file:
    path: "{{ mysql_log_error }}"
    state: file
    owner: mysql
    group: "{{ mysql_log_file_group }}"
    mode: 0640
  when:
    - mysql_log == ""
    - mysql_log_error != ""
  tags: ['skip_ansible_galaxy']

- name: Create socket/pid directory
  shell: >
    mysql_pid_file={{ mysql_pid_file }};
    mysql_socket={{ mysql_socket }};
    for file in `echo $mysql_pid_file $mysql_socket`; do
      dir=${file%/*};
      if [[ ! -d $dir ]]; then
        mkdir -p ${dir}
        chown mysql:mysql ${dir}
        chmod 0755 ${dir}
      else
        echo "$dir already exist"
      fi
    done

- name: Create tmpdir if it does not exist
  file:
    path: "{{ mysql_tmpdir }}"
    state: directory
    owner: mysql
    group: mysql
    mode: 0777
    
- name: init mysql db
  shell: >
    mysql_install_db --user=mysql --basedir=/usr --datadir={{ mysql_datadir }}
  ignore_errors: true

- name: Ensure MySQL is started and enabled on boot.
  service: "name={{ mysql_daemon }} state=started enabled={{ mysql_enabled_on_startup }}"
  register: mysql_service_configuration

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

---

- name: Get MySQL version.

command: 'mysql --version'

register: mysql_cli_version

changed_when: false

check_mode: false

- name: Copy my.cnf global MySQL configuration.

template:

src: my.cnf.j2

dest: "{{ mysql_config_file }}"

owner: root

group: root

mode: 0644

force: "{{ overwrite_global_mycnf }}"

notify: restart mysql

- name: Verify mysql include directory exists.

file:

path: "{{ mysql_config_include_dir }}"

state: directory

owner: root

group: root

mode: 0755

when: mysql_config_include_files | length

- name: Copy my.cnf override files into include directory.

template:

src: "{{ item.src }}"

dest: "{{ mysql_config_include_dir }}/{{ item.src | basename }}"

owner: root

group: root

mode: 0644

force: "{{ item.force | default(False) }}"

with_items: "{{ mysql_config_include_files }}"

notify: restart mysql

- name: Create slow query log file (if configured).

shell: >

mysql_slow_query_log_file={{ mysql_slow_query_log_file }};

mkdir -p ${mysql_slow_query_log_file%/*};

touch ${mysql_slow_query_log_file}

when: mysql_slow_query_log_enabled

- name: Create datadir if it does not exist

file:

path: "{{ mysql_datadir }}"

state: directory

owner: mysql

group: mysql

mode: 0755

setype: mysqld_db_t

- name: Set ownership on slow query log file (if configured).

file:

path: "{{ mysql_slow_query_log_file }}"

state: file

owner: mysql

group: "{{ mysql_log_file_group }}"

mode: 0640

when: mysql_slow_query_log_enabled

- name: Create error log directory (if configured).

shell: >

mysql_log_error={{ mysql_log_error }};

mkdir -p ${mysql_log_error%/*};

touch ${mysql_log_error};

chown -R mysql:{{ mysql_log_file_group }} ${mysql_log_error%/*}

when:

- mysql_log == ""

- mysql_log_error != ""

tags: ['skip_ansible_galaxy']

- name: Set ownership on error log file (if configured).

file:

path: "{{ mysql_log_error }}"

state: file

owner: mysql

group: "{{ mysql_log_file_group }}"

mode: 0640

when:

- mysql_log == ""

- mysql_log_error != ""

tags: ['skip_ansible_galaxy']

- name: Create socket/pid directory

shell: >

mysql_pid_file={{ mysql_pid_file }};

mysql_socket={{ mysql_socket }};

for file in `echo $mysql_pid_file $mysql_socket`; do

dir=${file%/*};

if [[ ! -d $dir ]]; then

mkdir -p ${dir}

chown mysql:mysql ${dir}

chmod 0755 ${dir}

else

echo "$dir already exist"

fi

done

- name: Create tmpdir if it does not exist

file:

path: "{{ mysql_tmpdir }}"

state: directory

owner: mysql

group: mysql

mode: 0777

- name: init mysql db

shell: >

mysql_install_db --user=mysql --basedir=/usr --datadir={{ mysql_datadir }}

ignore_errors: true

- name: Ensure MySQL is started and enabled on boot.

service: "name={{ mysql_daemon }} state=started enabled={{ mysql_enabled_on_startup }}"

register: mysql_service_configuration

roles/tasks/database.yml: 注意修改默认字符集

---
- name: Ensure MySQL databases are present.
  mysql_db:
    name: "{{ item.name }}"
    login_user: "{{ mysql_root_username }}"
    login_password: "{{ mysql_root_password }}"
    login_unix_socket: "{{ mysql_socket }}"
    collation: "{{ item.collation | default('utf8mb4_unicode_ci') }}"
    encoding: "{{ item.encoding | default('utf8mb4') }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ mysql_databases }}"

1

2

3

4

5

6

7

8

9

10

11

---

- name: Ensure MySQL databases are present.

mysql_db:

login_user: "{{ mysql_root_username }}"

login_password: "{{ mysql_root_password }}"

login_unix_socket: "{{ mysql_socket }}"

collation: "{{ item.collation | default('utf8mb4_unicode_ci') }}"

encoding: "{{ item.encoding | default('utf8mb4') }}"

state: "{{ item.state | default('present') }}"

with_items: "{{ mysql_databases }}"

roles/tasks/variables.yml:

---
# Variable configuration.
- name: Include OS-specific variables.
  include_vars: "{{ item }}"
  with_first_found:
    - files:
        - "vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
        - "vars/{{ ansible_os_family }}.yml"
      skip: true

- name: Define mysql_packages.
  set_fact:
    mysql_packages: "{{ __mysql_packages | list }}"
  when: mysql_packages is not defined

- name: Define mysql_daemon.
  set_fact:
    mysql_daemon: "{{ __mysql_daemon }}"
  when: mysql_daemon is not defined

- name: Define mysql_slow_query_log_file.
  set_fact:
    mysql_slow_query_log_file: "{{ __mysql_slow_query_log_file }}"
  when: mysql_slow_query_log_file is not defined

- name: Define mysql_log_error.
  set_fact:
    mysql_log_error: "{{ __mysql_log_error }}"
  when: mysql_log_error is not defined

- name: Define mysql_syslog_tag.
  set_fact:
    mysql_syslog_tag: "{{ __mysql_syslog_tag }}"
  when: mysql_syslog_tag is not defined

- name: Define mysql_pid_file.
  set_fact:
    mysql_pid_file: "{{ __mysql_pid_file }}"
  when: mysql_pid_file is not defined

- name: Define mysql_config_file.
  set_fact:
    mysql_config_file: "{{ __mysql_config_file }}"
  when: mysql_config_file is not defined

- name: Define mysql_config_include_dir.
  set_fact:
    mysql_config_include_dir: "{{ __mysql_config_include_dir }}"
  when: mysql_config_include_dir is not defined

- name: Define mysql_socket.
  set_fact:
    mysql_socket: "{{ __mysql_socket }}"
  when: mysql_socket is not defined

- name: Define mysql_supports_innodb_large_prefix.
  set_fact:
    mysql_supports_innodb_large_prefix: "{{ __mysql_supports_innodb_large_prefix }}"
  when: mysql_supports_innodb_large_prefix is not defined

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

---

# Variable configuration.

- name: Include OS-specific variables.

include_vars: "{{ item }}"

with_first_found:

- files:

- "vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"

- "vars/{{ ansible_os_family }}.yml"

skip: true

- name: Define mysql_packages.

set_fact:

mysql_packages: "{{ __mysql_packages | list }}"

when: mysql_packages is not defined

- name: Define mysql_daemon.

set_fact:

mysql_daemon: "{{ __mysql_daemon }}"

when: mysql_daemon is not defined

- name: Define mysql_slow_query_log_file.

set_fact:

mysql_slow_query_log_file: "{{ __mysql_slow_query_log_file }}"

when: mysql_slow_query_log_file is not defined

- name: Define mysql_log_error.

set_fact:

mysql_log_error: "{{ __mysql_log_error }}"

when: mysql_log_error is not defined

- name: Define mysql_syslog_tag.

set_fact:

mysql_syslog_tag: "{{ __mysql_syslog_tag }}"

when: mysql_syslog_tag is not defined

- name: Define mysql_pid_file.

set_fact:

mysql_pid_file: "{{ __mysql_pid_file }}"

when: mysql_pid_file is not defined

- name: Define mysql_config_file.

set_fact:

mysql_config_file: "{{ __mysql_config_file }}"

when: mysql_config_file is not defined

- name: Define mysql_config_include_dir.

set_fact:

mysql_config_include_dir: "{{ __mysql_config_include_dir }}"

when: mysql_config_include_dir is not defined

- name: Define mysql_socket.

set_fact:

mysql_socket: "{{ __mysql_socket }}"

when: mysql_socket is not defined

- name: Define mysql_supports_innodb_large_prefix.

set_fact:

mysql_supports_innodb_large_prefix: "{{ __mysql_supports_innodb_large_prefix }}"

when: mysql_supports_innodb_large_prefix is not defined

roles/tasks/secure-installation.yml: 此文件坑较多, 若用官方的, 会出现没有mysql.user库的报错, 因为存在匿名帐户, 直接用mysql -uroot -p登录的话, 会看到没有默认的mysql库, 但是其实已经有库了, 只是登录时如果不写-h的话, 默认就直接解析到通过hostname了, 在my.cnf里添加skip-name-resolve,可以不通过DNS解析. 所以只能通过mysql -hlocalhost -uroot -p方式都能正确地进入到库, 所以更改如下: [ mysql -NBe 改为: mysql -NB -h localhost -e ] Read more…

By sean, 5 years02/20/2020 ago

未分类

iterm2远程连接中文显示乱码

问题: 服务器是ubuntu，用Mac的iterm2 ssh连上去，终端显示中文乱码，也不能输入中文，然而本地终端可以显示和输入。解决方法：这种情况一般是终端和服务器的字符集不匹配，MacOSX下默认的是utf8字符集。输入locale可以查看字符编码设置情况，而我的对应值是空的。因为我在本地和服务器都用zsh替代了bash，而且使用了oh-my-zsh，而默认的.zshrc没有设置为utf-8编码，所以本地和服务器端都要在.zshrc设置，步骤如下，bash对应.bash_profile或.bashrc文件。 1.在终端下输入

vim ~/.zshrc

1	vim ~/.zshrc

或者使用其他你喜欢的编辑器编辑~/.zshrc文件 2.在文件内容末端添加：

export LC_ALL=en_US.UTF-8 
export LANG=en_US.UTF-8

1 2	export LC_ALL=en_US.UTF-8 export LANG=en_US.UTF-8

接着重启一下终端，或者输入source ~/.zshrc使设置生效。设置成功的话，在本地和登录到服务器输入locale回车会显示下面内容。

LANG="en_US.UTF-8" 
LC_COLLATE="en_US.UTF-8" 
LC_CTYPE="en_US.UTF-8" 
LC_MESSAGES="en_US.UTF-8" 
LC_MONETARY="en_US.UTF-8" 
LC_NUMERIC="en_US.UTF-8" 
LC_TIME="en_US.UTF-8" 
LC_ALL="en_US.UTF-8"

1

2

3

4

5

6

7

8

LANG="en_US.UTF-8"

LC_COLLATE="en_US.UTF-8"

LC_CTYPE="en_US.UTF-8"

LC_MESSAGES="en_US.UTF-8"

LC_MONETARY="en_US.UTF-8"

LC_NUMERIC="en_US.UTF-8"

LC_TIME="en_US.UTF-8"

LC_ALL="en_US.UTF-8"

这时，中文输入和显示都正常了。

By sean, 5 years02/11/2020 ago

OS

.vimrc.local配置

"VIM语言设置
set fileencodings=utf-8,ucs-bom,gb18030,gbk,gb2312,cp936
set termencoding=utf-8
set encoding=utf-8

"一行的字符超出80个的话就把那些字符的背景设为红色
syntax enable
set background=dark
colorscheme solarized
highlight OverLength ctermbg=red ctermfg=white guibg=#592929
match OverLength /\%131v.\+/
set foldmethod=indent
set foldlevel=99
" press space to fold/unfold code
nnoremap <space> za
vnoremap <space> zf
"set mouse=v
" NERDTree
map <F4> :NERDTreeToggle<CR>
map <C-l> :tabn<cr>             "下一个tab
map <C-h> :tabp<cr>             "上一个tab
map <C-n> :tabnew<cr>           "新tab
map <C-k> :bn<cr>               "下一个文件
map <C-j> :bp<cr>               "上一个文件
"NERDTree-Tabs
let NERDTreeWinPos="right"
"let g:nerdtree_tabs_open_on_console_startup=1       "设置打开vim的时候默认打开目录树
map <leader>n <plug>NERDTreeTabsToggle <CR>         "设置打开目录树的快捷键

""为方便复制，用<F2>开启/关闭行号显示:
nnoremap <F2> :set nonumber!<CR>:set foldcolumn=0<CR>
set pastetoggle=<F3>

set fileencodings=utf-8,ucs-bom,gb18030,gbk,gb2312,cp936
set termencoding=utf-8
set encoding=utf-8

autocmd BufNewFile *.py,*.cc,*.sh,*.java exec ":call SetTitle()"

autocmd BufNewFile *.py,*.cc,*.sh,*.java exec ":call SetTitle()"

"给脚本自动添加头部注释说明
func SetTitle()
    if expand("%:e") == 'sh'
        call setline(1,"#!/bin/bash")
        call setline(2, "##############################################################")
        call setline(3, "# File Name: ".expand("%"))
        call setline(4, "# Version: V1.0")
        call setline(5, "# Author: sean")
        call setline(6, "# Organization: yonyou")
        call setline(7, "# Created Time : ".strftime("%F %T"))
        call setline(8, "# Description:")
        call setline(9, "##############################################################")
        call setline(10, "")
    endif
endfunc

" golang
Plugin 'fatih/vim-go'
let g:go_version_warning = 0
let g:go_disable_autoinstall = 0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

"VIM语言设置

set fileencodings=utf-8,ucs-bom,gb18030,gbk,gb2312,cp936

set termencoding=utf-8

set encoding=utf-8

"一行的字符超出80个的话就把那些字符的背景设为红色

syntax enable

set background=dark

colorscheme solarized

highlight OverLength ctermbg=red ctermfg=white guibg=#592929

match OverLength /\%131v.\+/

set foldmethod=indent

set foldlevel=99

" press space to fold/unfold code

nnoremap <space> za

vnoremap <space> zf

"set mouse=v

" NERDTree

map <F4> :NERDTreeToggle<CR>

map <C-l> :tabn<cr> "下一个tab

map <C-h> :tabp<cr> "上一个tab

map <C-n> :tabnew<cr> "新tab

map <C-k> :bn<cr> "下一个文件

map <C-j> :bp<cr> "上一个文件

"NERDTree-Tabs

let NERDTreeWinPos="right"

"let g:nerdtree_tabs_open_on_console_startup=1 "设置打开vim的时候默认打开目录树

map <leader>n <plug>NERDTreeTabsToggle <CR> "设置打开目录树的快捷键

""为方便复制，用<F2>开启/关闭行号显示:

nnoremap <F2> :set nonumber!<CR>:set foldcolumn=0<CR>

set pastetoggle=<F3>

set fileencodings=utf-8,ucs-bom,gb18030,gbk,gb2312,cp936

set termencoding=utf-8

set encoding=utf-8

autocmd BufNewFile *.py,*.cc,*.sh,*.java exec ":call SetTitle()"

"给脚本自动添加头部注释说明

func SetTitle()

if expand("%:e") == 'sh'

call setline(1,"#!/bin/bash")

call setline(2, "##############################################################")

call setline(3, "# File Name: ".expand("%"))

call setline(4, "# Version: V1.0")

call setline(5, "# Author: sean")

call setline(6, "# Organization: yonyou")

call setline(7, "# Created Time : ".strftime("%F %T"))

call setline(8, "# Description:")

call setline(9, "##############################################################")

call setline(10, "")

endif

endfunc

" golang

Plugin 'fatih/vim-go'

let g:go_version_warning = 0

let g:go_disable_autoinstall = 0

By sean, 5 years01/16/2020 ago

未分类

golang vim环境搭建

主要使用到的是golang的vim插件vim-go，安装方法：（1）配置好自己的GOPATH和GOROOT；（2）在GOPATH目录下建立 src、pkg、main、bin四个目录；（3）安装插件管理器 Pathogen， (a) 在Pathogen的首页http://www.vim.org/scripts/script.php?script_id=2332 下载； (b) 将解压缩之后的autoload目录拷贝到 ~/.vim/autoload，如果原来没有这个目录的话，新建一个； (c) 编辑 ~/.vimrc 文件，在顶部加入行 call pathogen#infect()。（4）安装vim-go插件 (a) 进入目录 ~/.vim/bundle 后执行命令 git clone https://github.com/fatih/vim-go.git； (b) 编辑 ~/.vimrc 文件,加入以下内容，如果有有些配置项之前已有，保证配置一样就行； syntax enable filetype plugin on let g:go_disable_autoinstall = 0 （5）安装go tools 这里说的go tools主要是指 godef、goimports、godoc等工具（在/Users/wangjiajia/.vim/bundle/vim-go/plugin/go.vim中有配置） (a) 任意打开一个.go的文件，然后运行 :GoInstallBinaries，就是自动下载工具的二进制包进行安装；但由于 go的代码很多在github 和 golang.org 上，涉及到墙的问题。自动安装可能会失败。当然，你有梯子的话，除外； (b) 手工安装的步骤，进入到GOPATH的src目录下，运行如下命令 git clone https://github.com/golang/tools golang.org/x/tools Read more…

By sean, 5 years01/16/2020 ago

OS

CentOS7 yum 升级vim 8

# 卸载老的vim
yum remove vim-* -y

# 下载第三方yum源
wget -P /etc/yum.repos.d/ https://copr.fedorainfracloud.org/coprs/lbiaggi/vim80-ligatures/repo/epel-7/lbiaggi-vim80-ligatures-epel-7.repo

# install vim
yum install vim-enhanced sudo -y

# 验证vim版本
rpm -qa |grep vim

1

2

3

4

5

6

7

8

9

10

11

# 卸载老的vim

yum remove vim-* -y

# 下载第三方yum源

wget -P /etc/yum.repos.d/ https://copr.fedorainfracloud.org/coprs/lbiaggi/vim80-ligatures/repo/epel-7/lbiaggi-vim80-ligatures-epel-7.repo

# install vim

yum install vim-enhanced sudo -y

# 验证vim版本

rpm -qa |grep vim

By sean, 5 years01/16/2020 ago